headline verdana bold controls in a digital, agile world · 1 day ago · 4 digital controls by...
TRANSCRIPT
-
Headline Verdana Bold
Controls in a Digital, Agile World
-
2
Controls Methods in a Digital, Agile World
-
3
Controls Design MethodsEffective, Risk Aligned Control & Assurance apply to digital programmes just as in ‘traditional’ programmes
Target Operating Model
Strategy Org design People
Technology Data
-
4
Digital Controls by DesignPrinciple Building Blocks for a robust Control Framework in a digital world
Controls Design Authority Group (CDAG) should be formed to
approve the controls design in line with defined minimum controls
standards. An owner should be identified for owning controls
on a more operational basis.
Governance
1 Take Control of the Robots by implementing access, process and General IT controls (e.g. change management) controls over robots.
Perform validation over machine learning & AI processes.
Take
Control
2
Establish a Control Service Centre as node within the Finance
Shared Service Centre(s). Their remit would increase as the team
matures from initially control testing support and reporting to
exception management and test execution for all non-judgemental
controls.
Shared
Services
3 Risks and Controls should be defined in each business process design document. All of the controls, including controls
over Robots are brought together into a Risk and Control Matrix
(RACM) to avoid gaps and for duplication to be managed in a more
efficient manner.
Process
Design
4
The scope of controls should include process controls, access
controls and General IT controls, on all Finanacial system in
scope.Scope
5 Control Awareness Training should be given emphasising key roles and responsibilities as it relates to control ownership, control
operation and effective monitoring to drive accountability and make
effective above and beyond a ‘box-checking’ exercise. Emphasise
new risks and controls of digitisation and robots.
Control
Awareness
6
Application security should be designed to be flexible and modular
so that roles can be Segregation of Duties (SoD) free, or assigned
a mitigating control from an approved list.
Application security should be extended to Robots – what can
they systems and data can they access, what can they share and
distribute?
Application
Security
7 Standard application configuration should be used to automate controls and relevant ‘inherent controls’ called out in the RACM i.e.
controls that are embedded in the application and do not require
additional configuration.
Use Robotics for Automation of Controls where system
configuration or integration is not available.
Automation
8
Automation of Segregation of Duties (SoD) checks, password
resets and workflow approvals should be put in place to maintain
security post go-live.
Security
Automation
9 A control monitoring or testing regime should be put in place to ensure continuous effectiveness of the controls post go-live –
similar to the ‘real-time’ analytics strategy for other areas.
Automated
Monitoring
10
-
5
Controls should be designed into Hybrid Agile solutions from the outsetThe application of adaptive, agile concepts and techniques in a traditional, predictive project. When Financial Controls are included in project requirements, they can be delivered in an agile way.
© 2017. For information, contact Deloitte Touche Tohmatsu
Retain from agile• Flexibility
• Business owns priorities and features
• Rapid delivery of product increments
• Value-driven
• Execution discipline
Controls in Hybrid Agile• Predictability
• Requirements include control objectives
• Flexibility at the control activity level
• Enhanced collaboration with internal stakeholders
• Frequent review of increments – Optimised RACM
• Execution discipline
Retain from waterfall• Predictability (scope/requirements,
resources, schedule, and budget)
• Project controls
• Execution discipline
Approach-agnostic - Integrated processes
and controls
-
6
Control design is integrated into an agile programme by including the requirements in at the discovery stage. It is imperative that this is at the right level – i.e. the control objective level.
The sprint team then has the freedom to design, iterate and build the detailed control activities required to realise the control in the Sprint cycle.
The sprint outcome is then fed forward into the Risk and Control Matrix (RACM), which is iterated and optimized through collaboration between multiple cross-functional sprint teams.
Integrating Controls Design into an agile digital finance programme
Control Objectives
Control Activities
(Detail)Incorporate in
RACM
-
77
DeliverDesign & Build TestHigh-Level Design
Develop Integrated Work Plan
Develop Master Plan
Prioritisation
Business Process Requirements
DevelopProduct Roadmap
Project & Quality Management
Technology/Infrastructure
Organisational Change Management
Deployment
User Acceptance Test
Support
Integration, Parallel Performance
& Regression Test
High-level Design
Sprint 0
Waterfall Thread (i.e. Data Migration)
▪ Number of sprints determined by project
▪ Sprint plans developed iteratively
Design, Build, and Unit/String Test Sprints
Initial Integration & Regression Test Sprints
▪ Integration and
regression testing
starts earlier
▪ Testing is executed as
code is ready
Plan
Design Build
Sample approach for hybrid agile project – where do controls fit-in?
Control Design
Control Requirements
Control Framework
Optimisation
-
8
Robotic Control Automation
-
9
What is Robotic Process Automation (RPA)?
Software!
Robots can provide a ‘thin layer’ of controls over systems where ‘standard’
configuration is not available i.e. Robotic Control Automation!
-
10
What processes are suitable to deploy with Robotic Control Automation?
Anything that is rules based and repetitive – Shared Services is a good place to start
Sample processes suitable for robotics, illustrative
Sample Activities for Robotic Control Automation
• Logging onto web / multiple enterprise applications
• Scraping data from websites / applications
• Copying and pasting data
• Following if/then conditions and rules
• Extracting and reformatting data into reports or dashboards
• Extracting structured data from documents
• Merging data from multiple places
• Making calculations
• Filling in forms
• Reading and writing to databases
-
11
Controlling Robotised Processes
Creating a robust control environment in the digital world – the same fundamentals
• Controls are in place to secure robots and prevent unauthorised use, disclosure, damage or loss of data
• IT operational procedures are in place and provide for well controlled scheduling and monitoring of Robots, and provide reasonable assurance that incidents and exception alerts are identified, escalated and resolved.
• All changes (acquisitions or developments of new systems, system enhancements, upgrades and bug fixes) to SOX relevant robots and their supporting infrastructure are logged, authorised and appropriately tested
• Access to create, change or stop robots must be strictly restricted
• Access to modify a robot posting should be logged and monitored
• SoD between business users and robot managers / developers
• Appropriate system event and security logs are maintained and routinely reviewed for exceptions
• Defined responsibility for monitoring robots performance and exception management or manual resolution
• Processes are in place to routinely review configuration against policies (e.g. tolerances)
• Routinely perform validation over the accuracy of machine learning conclusions (i.e. inappropriate data fed to AI tools can ‘alter’ their performance without going through a change management process)
Co
ntr
ol
Ob
jecti
ves
Co
ntr
ol
Acti
vit
ies
Access and Security Controls
Exception
Managmnt.
Controls
Change
Managmnt.
Controls
-
12
Additional Digital RisksIn addition to the other risks and controls discussed above, increasing digitisation brings new risks that need to be controlled
Digital Risk
Data Governance and Digital
Rights Management
Model Validation and
Testing
Regulatory Compliance
Decision Governance
and Accountability
Business Impact
Assessment
Resilience Planning and Cyber Risk
-
13
Appendix
-
14
Secure the Digital Core…..
Innovation and agility is driven by cloud applications, robotics, AI and ‘edge’ technologies
-
15
Contact
For more information please contact:
Wivine Massaut
Director Deloitte Belgium
+ 32 2 800 22 74
Julie Van der Planken
Director Deloitte Belgium
+ 32 2 800 27 09
Johan Van Grieken
Partner Deloitte Belgium
+ 32 2 800 24 53
mailto:[email protected]:[email protected]:[email protected]
-
This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London, EC4A 3BZ, United Kingdom.
Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.
© 2018 Deloitte LLP. All rights reserved.